b'OFFICE OF INSPECTOR GENERAL\n\n\nAUDIT OF USAID\xe2\x80\x99s\nIMPLEMENTATION OF\nINTERNET PROTOCOL\nVERSION 6\nAUDIT REPORT NO. A-000-08-006-P\nSeptember 4, 2008\n\n\n\n\nWASHINGTON, DC\n\x0cOffice of Inspector General\n\n\nSeptember 4, 2008\n\nMEMORANDUM\n\nTO:                  Acting Chief Information Officer, Phil Heneghan\n\nFROM:                IG/A/ITSA, Director, Melinda Dempsey /s/\n\nSUBJECT:             Audit of USAID\xe2\x80\x99s Implementation of Internet Protocol Version 6\n                     (Audit Report No. A-000-08-006-P)\n\nThis memorandum transmits the Office of Inspector General\xe2\x80\x99s final report on the subject audit.\nThe report contains no recommendations. In finalizing the report, we considered your written\ncomments on our draft report and included those comments in their entirety in appendix II of this\nreport.\n\nI appreciate the cooperation and courtesies extended to my staff during this audit by members\nof your office.\n\n\n\n\nU.S. Agency for International Development\n1300 Pennsylvania Avenue, NW\nWashington, DC 20523\nwww.usaid.gov\n\x0cCONTENTS\nSummary of Results ....................................................................................................... 1\n\nBackground ..................................................................................................................... 3\n\nAudit Objectives ................................................................................................................ 5\n\nAudit Findings ................................................................................................................. 6\n\nDid USAID develop a complete inventory of existing\nInternet Protocol version 6 compliant devices in\naccordance with Office of Management and Budget\nguidance? ........................................................................................................................ 6\n\nDid USAID complete an analysis to determine the fiscal\nand operational impacts and risks of migrating to Internet\nProtocol version 6 in accordance with Office of\nManagement and Budget Guidance? ............................................................................... 7\n\nEvaluation of Management Comments ......................................................................... 9\n\nAppendix I \xe2\x80\x93 Scope and Methodology .......................................................................... 10\n\nAppendix II \xe2\x80\x93 Management Comments ......................................................................... 12\n\x0cSUMMARY OF RESULTS\nInternet Protocol (IP) addresses are a fundamental part of the Internet. Every device\nconnected to the Internet needs an IP address that is represented by a unique number.\nCurrently, two types of IP addresses are in active use worldwide: IP version 4 (IPv4)\nand IP version 6 (IPv6). IPv4 is the most commonly used version in the United States,\nwith the capacity to support about 4.3 billion unique addresses. IPv6 was developed to\naddress concerns over expected emerging demands for limited IPv4 addresses.\nAlthough differing views exist within the Internet industry as to the pace of demand for\nthe remaining IPv4 addresses, demand for IP addresses is expected to increase as\nmore and more of the world\xe2\x80\x99s population requests Internet access and uses electronic\ndevices that require an IP address. IPv6 is intended to meet this future demand with a\ncapacity to support about 3.4\xc3\x971038 unique addresses. Consequently, use of both IPv4\nand IPv6 is expected to overlap for some time. The hardware and software\ninfrastructure needed to support both IPv4 and IPv6 presents a challenge to the Federal\nGovernment (page 3).\n\nTo guide Federal Government agencies in their transition to IPv6, in August 2005 the\nOffice of Management and Budget (OMB) issued memorandum M-05-22, \xe2\x80\x9cTransition\nPlanning for Internet Protocol Version 6 (IPv6),\xe2\x80\x9d which outlined a transition strategy for\nagencies to follow and established the goal for all Federal agency backbone 1 networks\nto support IPv6 by June 30, 2008 (page 3).\n\nThe Office of Inspector General, Information Technology and Special Audits Division, in\nWashington, DC, conducted this audit to answer the following questions (page 5):\n\n    1. Did USAID develop a complete inventory of existing Internet Protocol version 6\n       compliant devices in accordance with Office of Management and Budget\n       guidance?\n\n    2. Did USAID complete an analysis to determine the fiscal and operational impacts\n       and risks of migrating to Internet Protocol version 6 in accordance with Office of\n       Management and Budget guidance?\n\nUSAID substantially complied with OMB\xe2\x80\x99s memorandum M-05-22 guidance for\ncompleting an inventory of network core requirements (page 6) and for completing its\nimpact analysis of migrating to IPv6 (pages 7\xe2\x80\x938). Furthermore, the Agency plans to\nconduct and complete its testing of IPv6 with external peers at the Federal\nCommunications Commission and the Department of State prior to OMB\xe2\x80\x99s stipulated\nJune 30, 2008, milestone date (page 5). 2 Upon completion of the IPv6 demonstration\n\n1\n   Network backbone, similarly denoted as \xe2\x80\x9cbackbone network,\xe2\x80\x9d is defined by the Federal Chief\nInformation Officers Council\xe2\x80\x99s IPv6 Working Group as the set of network transport devices (e.g.,\nrouters, switches) that provide the highest level of traffic aggregation and the highest level of\nhierarchy in the network. Federal agencies must specify device types, number of devices, and\nconnectivity between devices that constitute their operational core backbone network.\n2\n   Subsequent to the fieldwork, the Agency notified OMB on June 10, 2008, that it had completed\nits IPv6 demonstration test through the Internet with external peers in March 2008. The OIG did\nnot review the IPv6 demonstration test results.\n\n\n                                                                                               1\n\x0ctests, the Agency intends to disable IPv6 functionality on its production network\nbackbone but continue testing IPv6 products in a test lab environment (page 8).\n\nThe U.S. Government technical requirements and standards representing IPv6 continue\nto evolve. The National Institute of Standards and Technology is working on its\npublication \xe2\x80\x9cA Profile for IPv6 in the U.S. Government \xe2\x80\x93 Version 1.0, Special Publication\n500-267 (2nd draft)\xe2\x80\x9d and associated proposed testing program to provide the technical\nbasis upon which long-term U.S. Government IPv6 adoption plans and policies can be\nbased. The profile is not intended for near-term uses (e.g., the June 2008 requirements\nin M-05-22) but as a forward-looking strategic plan for 2010 and beyond. Additionally,\nthe profile acknowledges that \xe2\x80\x9cwhile significant commercial implementations have and\ncontinue to emerge, broad vendor product lines are currently at varying levels of maturity\nand completeness. Until there is time for significant market forces to effectively define\nde facto standard levels of completeness and correctness, product testing services are\nlikely needed to ensure the confidence and to protect the investment of early IPv6\nadopters\xe2\x80\x9d (pages 7\xe2\x80\x938).\n\nHowever, the testing services and the standards on which testing would be based have\nnot been finalized. In the absence of an IPv6 compliance testing standard, USAID has\nrelied on vendor representations and its own testing efforts for IPv6 capability. USAID\nhas been identifying and replacing non-IPv6 network backbone equipment as part of its\nmultiyear technology refresh program to replace older equipment (page 8).\n\nThis audit is not making any recommendations at this time. In response to the draft\nreport, USAID has no comments in regard to the report\xe2\x80\x99s findings. USAID\xe2\x80\x99s comments\nare included in their entirety in appendix II of this report (see page 12).\n\n\n\n\n                                                                                        2\n\x0cBACKGROUND\nInternet Protocol (IP) addresses are a fundamental part of the Internet. Every device\nconnected to the Internet needs an IP address that is represented by a unique number.\nCurrently, two types of IP addresses are in active use worldwide: IP version 4 (IPv4)\nand IP version 6 (IPv6). IPv4 was initially deployed in January 1983 and is still the most\ncommonly used version in the United States. IPv4 addresses, which are based on 32-bit\nnumbers, can support about 4.3 billion unique addresses. Deployment of the IPv6\nprotocol began in 1999. IPv6 was developed to address concerns over expected\nemerging demands for limited IPv4 addresses. IPv6 addresses are based on 128-bit\nnumbers with the capacity to support about 3.4\xc3\x971038 unique addresses. Although\ndiffering views exist within the Internet industry as to the pace of demand for the\nremaining IPv4 addresses, demand for IP addresses is expected to increase as more of\nthe world\xe2\x80\x99s population requests Internet access and uses electronic devices that require\nIP addresses. IPv6 is intended to meet this increased future demand. Consequently,\nuse of both IPv4 and IPv6 is expected to overlap for some time. The hardware and\nsoftware infrastructure needed to support both IPv4 and IPv6 presents a challenge to the\nFederal Government.\n\nTo guide Federal Government agencies in their transition for IPv6, in August 2005 the\nOffice of Management and Budget (OMB) issued memorandum M-05-22, \xe2\x80\x9cTransition\nPlanning for Internet Protocol Version 6 (IPv6),\xe2\x80\x9d which established the goal for all\nFederal agency backbone 3 networks to support IPv6 by June 30, 2008. OMB\nmemorandum M-05-22 identifies several key milestones and requirements for all Federal\nagencies to follow in support of the June 30, 2008, transition date:\n\n                By November 15, 2005\n                   \xe2\x80\xa2 Identify an IPv6 agency lead.\n                   \xe2\x80\xa2 Complete an inventory of IP-aware devices in its network\n                      backbone.\n                By February 28, 2006\n                   \xe2\x80\xa2 Develop a network backbone transition plan for IPv6.\n                   \xe2\x80\xa2 Complete an IPv6 progress report.\n                By June 30, 2006\n                   \xe2\x80\xa2 Complete an inventory of IP-aware applications and peripherals\n                      with dependencies on its network backbone.\n                   \xe2\x80\xa2 Complete an IPv6 transition impact analysis.\n                By June 30, 2008\n                   \xe2\x80\xa2 Complete network backbone transition to IPv6.\n\n\n\n\n3\n   Network backbone, similarly denoted as \xe2\x80\x9cbackbone network,\xe2\x80\x9d is defined by the Federal Chief\nInformation Officers Council\xe2\x80\x99s IPv6 Working Group as the set of network transport devices (e.g.,\nrouters, switches) that provide the highest level of traffic aggregation and the highest level of\nhierarchy in the network. Federal agencies must specify device types, number of devices, and\nconnectivity between devices that constitute their operational core backbone network.\n\n\n                                                                                               3\n\x0cAdditionally, OMB M-05-22 tasked\xe2\x80\x94\n\n   \xe2\x80\xa2   The National Institute of Standards and Technology (NIST) to develop a standard\n       to address IPv6 compliance for the Federal Government,\n   \xe2\x80\xa2   The General Services Administration and Federal Acquisition Regulation Council\n       to develop a suitable Federal Acquisition Regulation (FAR) amendment for use\n       by all agencies, and\n   \xe2\x80\xa2   The Federal Chief Information Officers Council\xe2\x80\x99s (CIOC) Architecture and\n       Infrastructure Committee to develop additional IPv6 transitional guidance for\n       Federal agencies.\n\nIn January 2008, NIST issued a second draft for public comment on IPv6 compliance, \xe2\x80\x9cA\nProfile for IPv6 in the U.S. Government \xe2\x80\x93 Version 1.0, Special Publication 500-267.\xe2\x80\x9d\nNIST issued its first draft for public comment in February 2007. The General Services\nAdministration, the Department of Defense, and the National Aeronautics and Space\nAdministration issued a notice of a proposed rule in August 2006, FAR Case 2005-041,\nwhich would require IPv6-capable products to be included in information technology\nprocurements to the maximum extent possible; however, this proposed rule has not\nbeen finalized as of the date of this report. The CIOC has finalized several documents in\nsupport of OMB M-05-22 to assist Federal agencies; these include \xe2\x80\x9cIPv6 Transition\nGuidance,\xe2\x80\x9d issued in February 2006, and \xe2\x80\x9cDemonstration Plan to Support Agency IPv6\nCompliance,\xe2\x80\x9d issued in January 2008.\n\nAccording to the CIOC\xe2\x80\x99s transitional guidance \xe2\x80\x9cDemonstration Plan to Support Agency\nIPv6 Compliance,\xe2\x80\x9d the requirements for June 30, 2008, are for the network backbone\n(i.e., core) only. IPv6 does not actually have to be operationally enabled by June 30,\n2008. However, network backbones must be ready to pass IPv6 traffic and support IPv6\naddresses. Agencies are expected to verify this new capability through testing activities\nand must be able to demonstrate that they can perform at least the following functions,\nwithout compromising IPv4 capability or network security, by June 30, 2008:\n\n   \xe2\x80\xa2   Transmit IPv6 traffic from the Internet and external peers, through the network\n       backbone (core) to the local area network (LAN).\n   \xe2\x80\xa2   Transmit IPv6 traffic from the LAN, through the network backbone (core), out to\n       the Internet and external peers.\n   \xe2\x80\xa2   Transmit IPv6 traffic from the LAN, through the network backbone (core), to\n       another LAN (or another node on the same LAN).\n\nFor these demonstrations, the CIOC defined a LAN as desktop or laptop personal\ncomputers configured to send and receive IPv6 packets and connected to a network\nbackbone with IPv6-enabled networking equipment. External networks can belong to\nanother agency, an Internet service provider, or another organization capable of\ntransmitting IPv6 traffic. The testing of other information technology assets (e.g.,\napplications) is not required for the June deadline.\n\nUSAID plans to conduct and complete its testing of IPv6 on its network backbone with\nthe Federal Communications Commission and the Department of State prior to OMB\xe2\x80\x99s\nstipulated June 30, 2008, deadline.\n\n\n\n\n                                                                                       4\n\x0cAUDIT OBJECTIVES\nThe Office of Inspector General, Information Technology and Special Audits Division,\nincluded this audit in its fiscal year 2007 audit plan to answer the following questions:\n\n   1. Did USAID develop a complete inventory of existing Internet Protocol version 6\n      compliant devices in accordance with Office of Management and Budget\n      guidance?\n\n   2. Did USAID complete an analysis to determine the fiscal and operational impacts\n      and risks of migrating to Internet Protocol version 6 in accordance with Office of\n      Management and Budget guidance?\n\nAppendix I contains a discussion of the audit\xe2\x80\x99s scope and methodology.\n\n\n\n\n                                                                                       5\n\x0cAUDIT FINDINGS\nDid USAID develop a complete inventory of existing Internet\nProtocol version 6 compliant devices in accordance with Office\nof Management and Budget guidance?\nUSAID substantially complied with the Office of Management and Budget\xe2\x80\x99s (OMB)\nmemorandum M-05-22 to prepare a complete inventory of network backbone devices.\n\nOverall, USAID has been responsive to OMB\xe2\x80\x99s Internet Protocol version 6 (IPv6)\ninventory requirements. The Agency developed an initial inventory of its network\nbackbone in November 2005 and an updated listing in June 2006 that totaled about 715\nitems of equipment. USAID subsequently revised its inventory of IPv6 network\nbackbone equipment in November 2007 as a result of newer guidance issued by the\nFederal Chief Information Officers Council (CIOC) that defined a \xe2\x80\x9cnetwork backbone\xe2\x80\x9d\n(i.e., core network) for use by executive agencies in support of OMB M-05-22. As a\nresult of this definitional clarification, USAID\xe2\x80\x99s inventory was reduced to 24 items of\nequipment, which represented the Agency\xe2\x80\x99s metropolitan area network (MAN) 4 as its\nnetwork backbone. The audit team\xe2\x80\x99s verification of the Agency\xe2\x80\x99s inventory list identified\ntwo more pieces of equipment that were not on the Agency\xe2\x80\x99s inventory of 24 items. The\ntwo additional pieces of equipment were determined to be part of the Agency\xe2\x80\x99s network\nbackbone that provided redundancy to maintain availability. Although two items were\nnot included in the Agency\xe2\x80\x99s list, the omission was not considered material. Agency\nofficials indicated that the two items were added after submitting their inventory listing to\nOMB.\n\n\n\n\n4\n   A metropolitan area network (MAN) is a network that interconnects users with computer\nresources in a geographic area or region. The term is applied to the interconnection of networks\nin a city into a larger network.\n\n\n                                                                                              6\n\x0cDid USAID complete an analysis to determine the fiscal and\noperational impacts and risks of migrating to Internet Protocol\nversion 6 in accordance with Office of Management and Budget\nguidance?\nUSAID substantially complied with OMB\xe2\x80\x99s guidance to complete its analysis of fiscal and\noperational impacts and risks of migrating to Internet Protocol version 6.\n\nOMB memorandum M-05-22 required agencies to complete an IPv6 transition impact\nanalysis by June 30, 2006, with the goal of completing a demonstration test of their\nnetwork backbone for IPv6 by June 30, 2008. The USAID lead person responsible for\nthe Agency\xe2\x80\x99s transition to IPv6 stated that the transition impact analysis for IPv6 was\ncompleted within OMB\xe2\x80\x99s June 30, 2006, milestone date. A copy of USAID\xe2\x80\x99s impact\nanalysis was obtained and reviewed. Based on this review, it was found that USAID\xe2\x80\x94\n\n   \xe2\x80\xa2   Completed an IPv6 transition impact analysis as required.\n   \xe2\x80\xa2   Identified key concerns and some possible solutions.\n   \xe2\x80\xa2   Prepared a cost budget addendum to support the impact analysis.\n\nUSAID\xe2\x80\x99s impact analysis identified risks that included security, investment funding,\nimmature technology, and operational issues for managing an IPv6 network. It also\nprovided mitigating approaches to reduce some of the identified risks. The Agency\nproposed solutions to address some of the risks that were based on assumptions\ndeveloped prior to the June 2006 OMB milestone date. Among the concerns that the\nAgency identified in its impact analysis were the following information security and\ntraining risks:\n\n   \xe2\x80\xa2   Information Security \xe2\x80\x93 The new protocol [IPv6] is a significant change in how\n       networks transport information. All existing tools, along with relative policies and\n       procedures, need to be evaluated to see if they can provide the same\n       functionality or if they need to be modified, replaced, or augmented\xe2\x80\xa6and that\n       USAID needs to provide the same or greater protection in the IPv6 environment\n       as is in place for IPv4.\n   \xe2\x80\xa2   Training \xe2\x80\x93 The security operations staff would need training and additional tools\n       to be able to identify IPv6 traffic for the types of vulnerabilities they protect\n       against now using IPv4. Additionally, the Agency would need to develop a\n       training plan for the various operating groups [formerly IRM Operations] within\n       the Office of the Chief Information Officer.\n\nThe risks identified in the Agency\xe2\x80\x99s impact analysis are not considered to be urgent\nconcerns that require immediate attention because the Agency\xe2\x80\x99s network has not\ntransitioned to IPv6. However, the concerns are significant issues to be considered\nwhen supporting a network transitioning to IPv6. In its impact analysis, the Agency\nrecognized that some risks could not be addressed based on the technological maturity\nof available products, technical standards, and specifications existing at that time.\n\nAs of May 2008, there still was no immediate urgency for the Agency to adopt IPv6,\nparticularly when IPv6 standards and technical requirements for the U.S. Government\ncontinue to evolve. The U.S. Government, however, continues to make progress in\n\n\n\n                                                                                         7\n\x0caddressing the IPv6 challenge by developing technical standards, specifications, and\ntesting programs.\n\nFor example, the NIST publication \xe2\x80\x9cA Profile for IPv6 in the U.S. Government \xe2\x80\x93 Version\n1.0, Special Publication 500-267 (2nd draft)\xe2\x80\x9d and its associated proposed testing\nprogram are to provide the technical basis upon which long-term U.S. Government IPv6\nadoption plans and policies can be based. The profile is not intended for near-term uses\n(e.g., the June 2008 requirements described in M-05-22). Instead, as a forward-looking\nstrategic plan, the profile\xe2\x80\x99s recommendations are targeted for 2010 and beyond.\nAdditionally, the NIST publication states that \xe2\x80\x9cwhile significant commercial\nimplementations have and continue to emerge, broad vendor product lines are currently\nat varying levels of maturity and completeness. Until there is time for significant market\nforces to effectively define de facto standard levels of completeness and correctness,\nproduct testing services are likely needed to ensure the confidence and to protect the\ninvestment of early IPv6 adopters.\xe2\x80\x9d\n\nBecause testing services and standards have not been finalized, USAID officials\nindicated that they have relied on vendor representations and the Agency\xe2\x80\x99s own testing\nfor IPv6 capability. USAID has been identifying and replacing non-IPv6 network\nbackbone equipment as part of its multiyear technology refresh program to replace older\nequipment. The Agency plans to disable IPv6 on its production network (i.e., outside a\ntest lab environment) after its IPv6 demonstration test to OMB. 5\n\nHowever, USAID\xe2\x80\x99s management provided comments that the Agency will continue to\ntest products supporting IPv6 and update how it would address identified risks in its\nimpact analysis beyond June 2008 on the basis of research and testing.\n\n\n\n\n5\n   Subsequent to the fieldwork, the Agency notified OMB on June 10, 2008, that it had completed\nits IPv6 demonstration test through the Internet with external peers in March 2008. The OIG did\nnot review the IPv6 demonstration test results.\n\n\n                                                                                             8\n\x0cEVALUATION OF\nMANAGEMENT COMMENTS\nIn its response to the draft report, USAID did not have any comments regarding the\nfindings. USAID\xe2\x80\x99s comments from the Office of the Chief Information Officer are\nincluded in appendix II.\n\n\n\n\n                                                                                9\n\x0c                                                                             APPENDIX I\n\n\n\nSCOPE AND METHODOLOGY\nScope\nThe Office of Inspector General, Information Technology and Special Audits Division,\nperformed this audit to determine whether USAID developed, in accordance with Office\nof Management and Budget (OMB) guidance, (1) a complete inventory of existing\nInternet Protocol version 6 (IPv6) compliant devices and (2) a complete analysis of fiscal\nand operational impacts and risks of migrating to IPv6.\n\nWe conducted this performance audit in accordance with generally accepted\nGovernment auditing standards. Those standards require that we plan and perform the\naudit to obtain sufficient, appropriate evidence to provide a reasonable basis for our\nfindings and conclusions based on our audit objectives. We believe the evidence\nobtained provides a reasonable basis for our findings and conclusions based on our\naudit objectives.\n\nAudit fieldwork was conducted between November 2007 and May 2008, primarily at\nUSAID headquarters in Washington, DC; the Tech Hub in Rosslyn, VA; and the\nBeltsville Information Management Center and the Teleport Center in Laurel, MD. The\naudit team met several times with the IPv6 project team lead and USAID technical and\nnetwork experts associated with the project.\n\nIn support of our audit objectives, we evaluated the Agency\xe2\x80\x99s actions and responses to\nOMB memorandum M-05-22 requirements and milestones for transitioning from IPv4 to\nIPv6. Specifically, we evaluated whether the Agency\xe2\x80\x94\n\n              By November 15, 2005\n                 \xe2\x80\xa2 Completed an inventory of IP-aware devices in its network\n                    backbone.\n              By June 30, 2006\n                 \xe2\x80\xa2 Completed an inventory of IP-aware applications and peripherals\n                    with dependencies on its network backbone.\n                 \xe2\x80\xa2 Completed an IPv6 transition impact analysis.\n              By June 30, 2008\n                 \xe2\x80\xa2 Is on target to complete its network backbone transition to IPv6.\n\nThe audit reviewed interpretive documentation issued by the Federal Chief Information\nOfficers Council\xe2\x80\x99s (CIOC) Architecture and Infrastructure\xe2\x80\x99s IPv6 Working Group,\nproposed Federal Acquisition Regulations for IPv6, and the National Institute of\nStandards and Technology\xe2\x80\x99s (NIST) \xe2\x80\x9cA Profile for IPv6 in the U.S. Government \xe2\x80\x93 Version\n1.0, Special Publication 500-267,\xe2\x80\x9d in support of OMB M-05-22. We also obtained and\nreviewed a joint publication issued by NIST and the National Telecommunications and\nInformation Administration, titled \xe2\x80\x9cTechnical and Economic Assessment of Internet\nProtocol Version 6 (IPv6),\xe2\x80\x9d dated January 2006.\n\nWe also included in our scope the control procedures for the disposal and surplus of\nexcess equipment to ensure that any nonvolatile memory or other data storage\n\n\n\n                                                                                       10\n\x0ccomponent within the Agency\xe2\x80\x99s network backbone was effectively erased upon device\ndisposal or surplus. Additionally, OMB, through guidance issued by the CIOC, required\ndemonstration of IPv6 network backbone compliance for the June 30, 2008, milestone\nby having executive agencies perform specific tests and document the results.\nConsequently, we obtained and reviewed documentation on the IPv6 test procedures\nand applicable test results that were performed in 2007 by USAID engineers and\nsystems contractors to show support for the Agency\xe2\x80\x99s compliance. At the start of this\naudit, the Agency had not yet completed its demonstration tests through the Internet with\nexternal peers; however, the Agency planned to complete these tests prior to June 30,\n2008. Subsequent to our fieldwork, the Agency notified OMB on June 10, 2008, that it\nhad completed its IPv6 demonstration test through the Internet with external peers in\nMarch 2008. We did not review the March 2008 IPv6 test results.\n\nMethodology\nFor the first audit objective, we obtained and reviewed the Agency\xe2\x80\x99s inventory list of\nexisting network backbone devices that represented its metropolitan area network\n(MAN). To determine the accuracy and completeness of the Agency\xe2\x80\x99s network\nbackbone inventory listing, we (1) traced all 24 items on the inventory list to their\nphysical locations and (2) traced equipment items at their physical locations that were\nidentified by Agency engineers as belonging to the network backbone (i.e., MAN) to the\nequipment inventory list. For the purposes of this test, we established a 10 percent\nmateriality threshold, which meant that three or more items identified as deficient would\nbe deemed material.\n\nFor the second audit objective, we obtained a copy of the Agency\xe2\x80\x99s impact analysis to\ndetermine whether it was completed. We interviewed the Agency IPv6 project lead to\nlearn how the analysis was prepared and reviewed, and discussed the strategy for\nmitigating risks and concerns identified in the Agency\xe2\x80\x99s impact analysis. We reviewed\nguidance issued by the CIOC to identify some of the elements that may be considered in\nan agency\xe2\x80\x99s impact analysis for migrating to IPv6. Based on our review of the potential\nelements that could be represented in an impact analysis and the content of the\nAgency\xe2\x80\x99s impact analysis, we subjectively concluded that the analysis was substantially\ncomplete for meeting and addressing risks associated with the June 30, 2008, network\nbackbone demonstration test.\n\n\n\n\n                                                                                      11\n\x0c                                                                           APPENDIX II\n\n\n\nMANAGEMENT COMMENTS\n\n\n                                                    August 20, 2008\n\n\nMEMORANDUM\n\n\nTO:           IG/A/ITSA, Melinda G. Dempsey\n\nFROM:         M/CIO, Phil Heneghan /s/\n\nSUBJECT: Draft Audit of USAID\xe2\x80\x99s Implementation of Internet Protocol Version 6 (Audit\nReport No. A-000-08-XXX-P)\n\n\nThank you for the opportunity to comment on the Draft Audit of USAID\xe2\x80\x99s Implementation\nof Internet Protocol Version 6 (Audit Report No. A-000-08-XXX-P)\n\nAfter extensive review, the Office of the Chief Information Officer has no comments on\nthe Findings.\n\nPlease accept my thanks for the cooperation and courtesies extended to my staff duing\nthis audit by members of your office.\n\n\n\n\nCc:     Carl Crawford\n        Gretchen Larrimer\n\n\n\n\n                                                                                         12\n\x0cU.S. Agency for International Development\n        Office of Inspector General\n        1300 Pennsylvania Ave, NW\n          Washington, DC 20523\n            Tel: (202) 712-1150\n            Fax: (202) 216-3047\n            www.usaid.gov/oig\n\x0c'